Security Guidelines

Laurier Computer and Network Security Guidelines

The Laurier mission is dependent upon digital information, digital
information systems and digital information networks. The integrity of
these digital assets is vulnerable due to Laurier's dependency on the
public Internet. Consequently it is imperative that Laurier define
computer and network guidelines and actions which will allow the
university community to pursue their academic, research and
administrative requirements without compromising the integrity of our
digital assets.

Laurier's digital information should be classified as confidential, sensitive or public.

It is impossible and undesirable to treat all digital information equally. There is information that the university wants to publicize, there is information that the university needs for internal matters that could become public without serious harm to the university and there is information that the university is bound by internal policies and government statute to use only in specific contexts.

The confidential label should be applied to information and systems that are intended for use strictly within Laurier. Unauthorized disclosure of confidential information could seriously and adversely impact Laurier or its suppliers, business partners, employees or students. Information that some people would consider to be private is included in this classification. Examples include employee performance evaluations, student records, unpublished academic papers, computer passwords, research data sets collected under a critical review process, etc. All logins and passwords for ITS servers and phone systems are classified as confidential.

The sensitive label applies to all other information that does not clearly fit into the confidential classification; while its unauthorized disclosure is against Laurier policy, it is not expected to seriously or adversely impact Laurier or its employees, suppliers, business partners, or students. Examples include the Laurier telephone directory, new employee training materials, internal policy manuals, etc.

The public label should be applied to information that has been approved by Laurier management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be disseminated without potential harm. Examples include Laurier brochures, advertisements, course information, and press releases.

If confidential information is stored on a desktop computer, the computer must be in a secure area or the information must be encrypted. If confidential information is stored on exchangeable media such as a CD, a DVD, or a USB drive, the media must always be physically protected or the information must be encrypted. If confidential information is stored on mobile devices such as PDAs or laptop computers, the mobile device must always be physically protected or the information must be encrypted, and the mobile device must be protected by a password. Confidential information must never be copied, faxed or e-mailed without the permission of the owner. If confidential information is faxed, it must be faxed to an attended fax number; if it is sent over the public Internet, it must be encrypted.

Sensitive information must not be copied, faxed or e-mailed without the permission of the owner.

Members of the Laurier community must be made aware of the Laurier digital information taxonomy.

The ITS department and the Privacy Coordinator's office will ensure that appropriate training is provided for members of the university community who handle confidential and sensitive information.

All traffic on the Laurier network must be attributable to an individual member of the Laurier community and to a particular network connection.

Digital systems and networks can be easily used for purposes that conflict with the Laurier mission.

The ITS department will maintain logs and procedures to identify the user of every networked device and will disable any device that interferes with the academic, research or administrative use of the Laurier network.

All computing devices (desktop computer, laptop computer, handheld computer, printer, switch, wireless access point or router) connected to the Laurier wired network must be owned by the university or purchased through research funds and must be securely configured.

It is impractical to securely configure other devices due to staffing and licensing issues.

The ITS department will regularly scan all network devices for vulnerabilities and intrusions and will maintain perimeter protection devices between the Laurier wired network and the Internet.

All computers running a version of the Microsoft Windows operating system must have Laurier-approved virus protection software installed, and the software must be configured to receive daily virus definition updates.

All computers should be configured to receive the latest security patches for their operating system.

All computers should have a desktop firewall installed for their operating system, and the firewall should be configured to block all unnecessary incoming network connections.

The ITS department or designated departmental technical staff will be available to properly configure all university computers for safe network access as described above and to ensure that only approved devices are connected to the network.

The ITS department will also monitor the network to ensure no illicit devices have been connected to the network and to take action to disable any such devices.

All connections to the Laurier wireless network must be authenticated and all sessions must be encrypted.

Wireless networks are a low bandwidth resource and unencrypted traffic can be easily intercepted.

All wireless access points deployed on campus and connected to the Laurier data network must be approved and configured by the ITS department. The ITS department will ensure that software is available to connect securely to these access points.

The ITS department will ensure that wireless connectivity is made available in areas that are required by the Laurier community to pursue their administrative, educational and research needs.

The ITS department will regularly scan for rogue access points and will audit log files to ensure that only members of the Laurier community are connecting to the Laurier wireless network.

Passwords are the primary means at Laurier of ensuring that only authorized persons have access to confidential data.

The ITS department will provide training for users to choose good passwords and will ensure that any password access to Laurier systems from the Internet is encrypted. The ITS department will ensure that systems under its control are configured to force good password selection and regular password change. The ITS department will regularly scan systems for weak passwords.

Laurier Internet access must be used in a manner compatible with the Laurier mission.

All members of the Laurier community have direct access to the Internet and there will sometimes be confusion between personal recreational Internet use and use of the Internet for the academic, research and administrative requirements of the university.

The ITS department will provide user training on acceptable Internet usage. In particular, the ITS department will insist that staff load only ITS-approved software on their computers and will recommend the same to faculty. The ITS department will provide training to faculty and staff to never use the Internet for recreational purposes that put the digital assets of the university at risk. The ITS department will monitor lab, research and wireless connections to ensure that students do not use these assets in a way that conflicts with the Laurier mission.

Security Incidents should be addressed as soon as possible so as to limit the damage to the integrity of Laurier's digital assets.

The Internet is a dangerous environment, and from time to time Laurier computers will be compromised in some manner. Users must report any unusual behavior on their computer to the ITS department or an approved departmental technician so as to minimize dangers to the integrity of Laurier digital assets. The ITS department will provide training to the Laurier community in regard to the kinds of behavior to be aware of and will notify the university community of security alerts received from trusted sources.

The Laurier community must be vigilant in detecting deceitful people who will use technology or human persuasion to gain access to Laurier's digital information.

Users must never give physical access to their computer to any person who does not provide the appropriate identification, must never provide confidential or sensitive information over the phone unless they recognize the caller as authorized for that information and must never provide confidential or sensitive information in an e-mail or a web page that has not been confirmed as trusted.

It is strongly recommended that all computers be locked through the use of a password-protected screensaver when the computer is not physically attended. In addition, the screensaver should be configured to activate after no more than fifteen minutes of inactivity.

The ITS department will provide training in regard to social engineering and phishing and will provide alerts to the community when such threats are active in our area.

Members of the Laurier community must ensure that confidential information is rendered unreadable before a storage medium is sent for disposal.

Erasure of digital information from disks, CDs, etc. is frequently not sufficient to ensure that the information cannot be retrieved.

Users must ensure computer hard drives that might contain confidential information are rendered unreadable before disposal and that all removable media that might contain confidential information are shredded. The ITS department will make resources available to the Laurier community to render hard drives unreadable and advise how to shred removable media.

Laurier digital information assets must be available on an as needed basis.

The ITS department will implement data backup procedures, network redundancy and a Disaster Recovery Policy so that, except for ITS network maintenance windows and unforeseen outages, the Laurier digital network will be available on a 24x7 basis.

Network services such as e-mail, web hosting and remote shell must only be run on computers operated by the ITS department or on systems approved by the ITS department.

Poorly configured or out of date network service software can be used to compromise a computer.

The ITS department will operate computer systems to provide network services required for the Laurier mission.

When a department or an individual requires a computer system to run a specialized service, the ITS department will either install and configure the system under a Service Level Agreement with the department, or provide advice and approval for running the service on a computer operated by the department or individual.

Any action by a member of the Laurier community contrary to The Laurier Computer and Network Security Guidelines must be dealt with in a timely and effective manner.

It is expected that notification from the ITS Manager, Security will be sufficient to handle most security violations.

In the event of repeated or intentional security violations by an individual, the ITS Manager, Security, in consultation with the ITS Director, will contact the individual's manager to have the situation resolved.